SQL Injection Attacks: Is Your Data Secure? .NET Edition

SQL injection is one of the most common ways that attackers gain access to your database. Do you know how to protect your data from malicious users? This session will provide an overview of how SQL injection works, as well as the steps to prevent it from happening to you. We'll examine both .NET and T-SQL solutions, as well as why some commonly used techniques aren't as secure as many people think. If you ever capture user input to store in the database, or write dynamic SQL queries, then this session is for you.

It is hard to pinpoint exactly who first discovered SQL injection, but we do know that by 1998 it was already being written up in hacker zines. This example shows a SQL query that is built by splicing variables into the SQL text in application code.
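The pattern the slide refers to, as an added C# example (not the deck's own code): a login query built by string concatenation next to the same query written with SqlCommand parameters. The Users table, its columns, and the connection string are hypothetical, and the attacker payload is constructed for the demonstration.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient; // System.Data.SqlClient on .NET Framework

public static class LoginQueries
{
    // VULNERABLE: the user-controlled values become part of the SQL text itself.
    // (Table and column names are hypothetical.)
    public static string BuildConcatenatedQuery(string username, string passwordHash)
    {
        return "SELECT UserId FROM Users WHERE Username = '" + username +
               "' AND PasswordHash = '" + passwordHash + "'";
    }

    // SAFE: the same query, but the values travel as typed parameters.
    // SQL Server compiles the text once and binds the values separately, so
    // quotes, comment markers or keywords inside them are just data.
    public static SqlCommand BuildParameterizedCommand(
        SqlConnection conn, string username, string passwordHash)
    {
        var cmd = new SqlCommand(
            "SELECT UserId FROM Users WHERE Username = @Username AND PasswordHash = @PasswordHash",
            conn);
        cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username;
        cmd.Parameters.Add("@PasswordHash", SqlDbType.NVarChar, 128).Value = passwordHash;
        return cmd;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed attacker input: closes the open quote, then ORs in a tautology.
        string payload = "' OR '1'='1";

        // The concatenated version: the payload is now part of the statement.
        Console.WriteLine(LoginQueries.BuildConcatenatedQuery("alice", payload));

        // Hypothetical connection string; the command is only built, not opened here.
        // The parameterized version keeps the same CommandText whatever the payload is.
        using (var conn = new SqlConnection("Server=.;Database=AppDb;Integrated Security=true"))
        using (var cmd = LoginQueries.BuildParameterizedCommand(conn, "alice", payload))
        {
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine("@PasswordHash = " + cmd.Parameters["@PasswordHash"].Value);
        }
    }
}
```

With that payload the concatenated statement's WHERE clause reads `Username = 'alice' AND PasswordHash = '' OR '1'='1'`; AND binds tighter than OR, so the predicate is true for every row and the login check is bypassed. In the parameterized command the same characters sit inside the `@PasswordHash` value and never touch the statement text.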

- Web 2.0: shiny buttons and every company trying to make money online. The problem was that nobody knew how to do security; unless you had a really security-conscious developer, you were out of luck. The Open Web Application Security Project (OWASP) was formed because a group of people realized the industry needed education and information about the types of attacks out there, and put together the Top 10 list. In the initial years the entries were ranked by guesswork and first-hand experience, since no statistics were available; SQL and other injection attacks ranked #6.

16.
Common Misconceptions
“Isn’t it the DBA’s job to protect the database?”
True. But multiple layers of security are better than one.
Front-end validation doesn’t stop malicious users, who can bypass the browser and send any request they like; server-side validation does (and is still no substitute for parameterized queries)

17.
Common Misconceptions
“I’m not important enough to get hacked”
Automated injection tools target everyone
https://github.com/sqlmapproject/sqlmap/wiki/Techniques

18.
Common Misconceptions
“I use an ORM to code my SQL queries”
ORMs are still vulnerable if you need to pass an argument that SQL Server cannot accept as a parameter (a table or column name, or an ORDER BY target, for example) or if you call a stored procedure that builds dynamic SQL by concatenation
Other libraries, like the LINQ Dynamic Query Library, try to mitigate this but are also not perfect
https://stackoverflow.com/questions/8738953/is-injection-possible-through-dynamic-linq
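An added C# example (not the deck's or any library's own code) covering both the server-side validation point from the "DBA's job" slide and the ORM slide's two gaps: an argument that cannot be a parameter, handled with a server-side allow-list, and a stored procedure that concatenates internally, shown as hypothetical T-SQL in a comment. The Products table, its columns, the procedure name and the connection string are all hypothetical, and the attacker inputs are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient; // System.Data.SqlClient on .NET Framework

public static class ProductQueries
{
    // Server-side allow-list of sort columns. Identifiers (table and column names,
    // ORDER BY targets) cannot be SQL parameters, so this lookup is the only barrier
    // between the client's input and the SQL text. Table/column names are hypothetical.
    private static readonly Dictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["name"] = "Name",
            ["price"] = "Price",
            ["created"] = "CreatedOn",
        };

    // Maps the client's sort key to a known identifier, or rejects it outright.
    // It never echoes the input into SQL: it returns our own string, not theirs.
    public static string ValidateSortColumn(string requested)
    {
        if (requested != null && SortColumns.TryGetValue(requested.Trim(), out var column))
            return column;
        throw new ArgumentException("Unsupported sort column.");
    }

    // Builds the search command: the term is a typed parameter, the ORDER BY
    // column comes from the allow-list, and client input is never concatenated.
    public static SqlCommand BuildSearchCommand(SqlConnection conn, string term, string sortBy)
    {
        string column = ValidateSortColumn(sortBy);
        var cmd = new SqlCommand(
            "SELECT ProductId, Name, Price FROM Products " +
            "WHERE Name LIKE @Pattern ORDER BY [" + column + "]", conn);
        // Wildcards are added here; a '%' or '_' inside 'term' widens the match but
        // cannot change the statement. Use an ESCAPE clause if that matters to you.
        cmd.Parameters.Add("@Pattern", SqlDbType.NVarChar, 102).Value = "%" + term + "%";
        return cmd;
    }
}

/* Calling a stored procedure through parameters does not help if the procedure
   itself concatenates. Hypothetical T-SQL for contrast:

   -- Vulnerable: @Name is spliced into the text that EXEC runs.
   CREATE PROCEDURE dbo.SearchProducts @Name NVARCHAR(100) AS
       EXEC (N'SELECT ProductId, Name FROM Products WHERE Name LIKE ''%' + @Name + N'%''');

   -- Fixed: the dynamic statement is parameterized with sp_executesql.
   CREATE PROCEDURE dbo.SearchProducts @Name NVARCHAR(100) AS
       EXEC sp_executesql
           N'SELECT ProductId, Name FROM Products WHERE Name LIKE ''%'' + @p + ''%''',
           N'@p NVARCHAR(100)', @p = @Name;
*/

public static class Program
{
    public static void Main()
    {
        // Constructed attacker inputs: one aimed at the identifier, one at the value.
        string hostileSort = "Name; DROP TABLE Products; --";
        string hostileTerm = "' OR 1=1 --";

        // Hypothetical connection string; commands are built, not executed, here.
        using (var conn = new SqlConnection("Server=.;Database=AppDb;Integrated Security=true"))
        {
            try
            {
                ProductQueries.BuildSearchCommand(conn, hostileTerm, hostileSort);
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("Rejected sort column: " + ex.Message);
            }

            using (var cmd = ProductQueries.BuildSearchCommand(conn, hostileTerm, "price"))
            {
                Console.WriteLine(cmd.CommandText);
                Console.WriteLine("@Pattern = " + cmd.Parameters["@Pattern"].Value);
            }
        }
    }
}
```

The hostile sort key never reaches the SQL text because the allow-list substitutes its own identifier or throws; the hostile search term is accepted, but only as the value of `@Pattern`, so the quote and comment marker in it are matched literally rather than parsed. The same split applies inside T-SQL: values go through sp_executesql's parameter list, and an identifier that genuinely must be dynamic is checked against a known list (and wrapped with QUOTENAME) before it is concatenated.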